Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support TLS #154

Merged
merged 4 commits into from
Aug 22, 2023
Merged

Support TLS #154

merged 4 commits into from
Aug 22, 2023

Conversation

shiyuhang0
Copy link
Contributor

@shiyuhang0 shiyuhang0 commented Apr 26, 2023
edited
Loading

close #118
works based on @codeflows, thanks for his excellent work.

Implement

I think there is no need to implement TLS handshake ourselves, we can just use Deno.startTls to do that. Thus, TLS will be limited by it. I have opened a PR request for more abilities denoland/deno#18851

  • MTLS is not supported

Configurations

provide two configurations

  • tls.mode (disabled or verify_identity): hard to implement other modes limited by Deno.startTls
  • tls.caCerts

Test

  1. I have tested it locally with some mysql-compatible serverless database
  • works with planetScale whose cert is signed by Let's Encrypt
  • works with TiDBCloud serverless tier whose cert is signed by Let's Encrypt
  • works with TiDBCloud dedicated tier whose cert is self-signed
import { Client } from "./mod.ts";
const planetscale = async () => {
    const client = await new Client().connect({
        hostname: "aws.connect.psdb.cloud",
        username: "zaibc8chxlig2v0qevme",
        password: "****",
        port: 3306,
        tls: {
            mode: "verify_identity",
        },
    });
    const { rows: users } = await client.execute(`show databases`);
    console.log(users);
    await client.close();
};
const tidbcloudserverless = async () => {
    const client = await new Client().connect({
        hostname: "gateway01.eu-central-1.prod.aws.tidbcloud.com",
        username: "***.root",
        password: "****",
        port: 4000,
        tls: {
            mode: "verify_identity",
        },
    });
    const { rows: users } = await client.execute(`show databases`);
    console.log(users);
    await client.close();
};
const tidbclouddedicated = async () => {
    const client = await new Client().connect({
        hostname: "tidb.hsqimmori8j.clusters.dev.tidb-cloud.com",
        username: "root",
        password: "****",
        port: 4000,
        tls: {
            mode: "verify_identity",
            caCerts: [
                await Deno.readTextFile("ca.pem"),
            ],
        },
    });
    const { rows: users } = await client.execute(`show databases`);
    console.log(users);
    await client.close();
};
planetscale()
tidbcloudserverless()
tidbclouddedicated()
  1. I have tried a lot to test MySQL and MariaDB, but failed to open SSL or generated the right self-signed cert for them. Thus, this pr does not have tests now. I will try it at another time, but I think it is also ready to be reviewed for it has been tested for some cloud products with tls.

compatibility

  • can‘t work with the Deno version which does not support starttls
  • have not tested the compatibility with MySQL and MariaDB. I think the compatibility issue may exist. But we can't do more about it because it depends on howDeno.startTls handles the TLS. For example, how to verify hostname

@shiyuhang0 shiyuhang0 changed the title support tls Support tls Apr 26, 2023
@shiyuhang0 shiyuhang0 changed the title Support tls [WIP]Support tls Apr 26, 2023
@shiyuhang0
Copy link
Contributor Author

@lideming PTAL, this pr lacks tests but I think it is also ready for review. I will continue trying to add test for it

@shiyuhang0 shiyuhang0 changed the title [WIP]Support tls Support TLS Apr 27, 2023
@lino-levan
Copy link

@uki00a can you take a look?

uki00a
uki00a suggested changes Jul 9, 2023
View reviewed changes
Copy link
Member

@uki00a uki00a left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shiyuhang0 Nice work! I've left a few comments, but otherwise it looks good to me overall

@lideming Could you PTAL if you have time?

src/client.ts Show resolved Hide resolved
src/client.ts Outdated Show resolved Hide resolved
src/packets/builders/auth.ts Outdated Show resolved Hide resolved
@shiyuhang0
Copy link
Contributor Author

@uki00a Thank you for your review and I have optimized the code according to your comment. PTAL again.
This pr excludes the mariadb:latest in the GitHub action test to pass all checks.

This test will fail with the following message:

OCI runtime exec failed: exec failed: unable to start container process: exec: "mysql": executable file not found in $PATH: unknown

But it is not the fault of this pr, it will fail even in master #160. I think we can skip this test in this pr and open another pr to fix it.

uki00a
uki00a approved these changes Aug 19, 2023
View reviewed changes
Copy link
Member

@uki00a uki00a left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Nice work!

@shiyuhang0
Copy link
Contributor Author

@lideming can this pr be merged?

@lideming lideming merged commit 62cddec into denodrivers:master Aug 22, 2023
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@uki00a uki00a uki00a approved these changes

@lideming lideming lideming approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Feature: connect using TLS
4 participants
@shiyuhang0 @lino-levan @lideming @uki00a